device verity state is: ENABLED
I got the above line in the boot log. May I know what it does exactly? I have read the Android source link, but did not understand.
Can you please help me.
Thanks in advance.
Android can use dm-verity to protect non-data partitions against manipulation (link, link).
The goal is to prevent an attacker (with physical access to the device) from inserting malicious code, e.g. into low-level Android services stored on the /system or /recovery partition.
For partitions marked with the verity flag in the fstab, at build-time the dm-verity hash tree of the partition is computed. The hash tree is signed with an RSA key and appended as meta-data to the partition. The public part of the RSA key is added to the boot partition.
At boot-time, the kernel verifies the integrity of the signed hash tree in the partition meta-data using the RSA public key stored in the boot partition. Then it can compute the hash tree of the partition and compare it to the hash tree from the meta-data. If there is a mismatch, the kernel refuses to boot.
Therefore, if an attacker manipulates the partition, the hash tree computed at boot-time will not match the hash tree from the partition meta-data. If the attacker also manipulates the hash tree from the partition meta-data, the signature validation with the RSA public key will fail.
Of course you then need an additional mechanism to ensure the integrity of the boot partition. This can be done with Secure-Boot-like mechanisms where the boot partition is again signed with another (RSA) key and the public part of that key is embedded at a lower level (vendor-specific). Such a chaining of verification mechanisms is referred to as a chain of trust. Ideally, you would want a chain of trust to extend down to the hardware level, with some vendor key being burned into the chip.
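As an added illustration (not code from the question, the answer, or Android itself), here is a dm-verity-style hash tree in Python: SHA-256 over 4096-byte blocks, each level's digests packed into zero-padded hash blocks, and a salt, as in dm-verity's on-disk format. The salt and the 300-block image are constructed values, and the RSA signature over the root is not modelled (the trusted root is passed in directly). It goes a step beyond the answer by checking a single block against the trusted root, which is how dm-verity verifies reads on demand, and shows that altering a block, or altering both the block and the stored tree, fails verification while untouched blocks still pass.

```python
import hashlib

BLOCK = 4096                # dm-verity data and hash block size (bytes)
SALT = b"constructed-salt"  # hypothetical salt; a real image stores its own

def chunk(data, size):
    """Split data into fixed-size blocks, zero-padding the last one."""
    data += b"\x00" * (-len(data) % size)
    return [data[i:i + size] for i in range(0, len(data), size)]

def hash_block(block, salt=SALT):
    return hashlib.sha256(salt + block).digest()

def build_tree(image, salt=SALT):
    """Hash tree from leaves to root; each level is a list of digests, and
    every level is built from the previous one packed into hash blocks."""
    levels = [[hash_block(b, salt) for b in chunk(image, BLOCK)]]
    while len(levels[-1]) > 1:
        packed = b"".join(levels[-1])
        levels.append([hash_block(b, salt) for b in chunk(packed, BLOCK)])
    return levels

def verify_block(image, index, tree, trusted_root, salt=SALT):
    """Verify one data block the way dm-verity does on read: its digest must
    match the stored tree, and the stored hash blocks must chain up to the
    trusted root. Returns True only if every step matches."""
    per_block = BLOCK // 32              # 32-byte digests per hash block
    digest = hash_block(chunk(image, BLOCK)[index], salt)
    for level in tree[:-1]:              # walk up to, but not including, the root
        if digest != level[index]:
            return False                 # data (or stored hash) was altered
        start = (index // per_block) * per_block
        packed = b"".join(level[start:start + per_block])
        digest = hash_block(packed + b"\x00" * (BLOCK - len(packed)), salt)
        index //= per_block
    return digest == trusted_root

def demo():
    """Constructed 300-block image (three tree levels); returns four checks:
    untouched block, tampered block, tampered block with recomputed tree,
    and an untouched block of the tampered image -> (True, False, False, True)."""
    image = bytes(range(256)) * 16 * 300
    tree = build_tree(image)
    root = tree[-1][0]                   # in Android this root is RSA-signed
    tampered = bytearray(image)
    tampered[200 * BLOCK + 7] ^= 0xFF    # flip one byte in block 200
    tampered = bytes(tampered)
    return (verify_block(image, 200, tree, root),
            verify_block(tampered, 200, tree, root),
            verify_block(tampered, 200, build_tree(tampered), root),
            verify_block(tampered, 0, tree, root))
```

The third check is the case from the answer where the attacker rewrites the hash tree as well: the tree is self-consistent, but its root no longer matches the root protected by the signature.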